Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
The Bug of the Month for August 2005 was posted as the Bug of the Day on July 29.
After a dispute that was as much legal as technical, Cisco announced that their Internetwork Operating System (IOS) software, if it is enabled for IPv6, may be vulnerable to a denial of service attack as well as the possibility of running code sent by attackers. This type of attack can only be launched from a local network segment, so the threat is somewhat tempered. Cisco has fix information at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml. This bug was discovered by Michael Lynn, who used to work for Internet Security Systems, and was discussed at the Black Hat Event in Las Vegas. Read about the legal dispute behind this at http://news.com.com/2100-1002_3-5809390.html.
Why this one? A number of reasons. First, given the market share that Cisco has in routers, this bug could have a significant effect on the Internet, if it is exploited. It may only be a slight exaggeration when it is said that this bug could "bring the Internet to its knees." Second, the researcher who found the bug, Michael Lynn, lost his job for disclosing the bug at the Black Hat Security conference in Las Vegas, after a three-way legal wrangle between Cisco, his former employer ISS, and himself. The legal deal struck basically said that he can't talk about this any more. You can read news reports here, here, here and here.
While Cisco has released fix information, not everyone has implemented the fix yet. And hackers everywhere are trying to figure out what Lynn found, so they can take a crack at crashing the Internet.
Get continuing coverage of bugs, incompatibilities, and things that can go wrong with your computer at the BugBlog.








